Cashout Service for Ransomware Scammers

There are 1,001 ways to swindle people online, but the hardest part for crooks is converting those ill-gotten gains into cash. A new service catering to purveyors of ransomware — malware that hijacks PCs until victims pay a ransom – levies a hefty fee for laundering funds from these scams, and it does so by abusing a legitimate Web site that allows betting on dog and horse races in the United States.

Ransomware scam spoofing the DHS to obtain MoneyPak/unlock codes.


Ransomware is most often distributed via hacked or malicious sites that exploit browser vulnerabilities.  Typically, these scams impersonate the Department of Homeland Security or the FBI (or the equivalent federal investigative authority in the victim’s country) and try to frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content.

Ransomware locks the victim’s PC until he either pays the ransom or finds a way to remove the malware. Victims are instructed to pay the ransom by purchasing a prepaid MoneyPak card, sold at everything from Walgreens to Wal-Mart (some scams tell victims to pay using a PaySafe or Ukash card). Victims are then told to send the attackers a 14-digit voucher code that allows the bad guys to redeem those MoneyPak vouchers for cash.

Trouble is, taking funds off of a MoneyPak requires either spending it at stores that accept it, or hooking it up to a U.S. bank account, to PayPal, or to a prepaid Visa or Mastercard. What’s more, most miscreants who are even halfway competent at spreading ransomware can expect to collect dozens of MoneyPak codes per day, so cashing out via the above-mentioned methods simply does not scale well for successful bad guys (particularly those who live outside of the United States).

Last week, I stumbled on a ransomware cashout service hosted in Minsk, Belarus, that helps simplify the process. It checks the balances of MoneyPak codes by abusing a feature built into Betamerica, a legitimate and legal site where gamblers can go to bet on dog and horse races in the United States. Specifically, the ransomware cashout service queries a page at Betamerica that lets customers fund their betting accounts using MoneyPak.

I reached out to Betamerica’s operations team and spoke with a woman who would only give her name as “Leslie.” Leslie said the company had already flagged the account that was being used to check the MoneyPak voucher codes.

“This account was already flagged as some type of bot or compromise, and was set to non-wagering,” she said, explaining that this status prevents customer accounts from placing bets on races. Leslie said Betamerica scrutinizes the MoneyPak activity because fraudsters have tried to use the codes to launder money.

“We are pretty diligent, because in the past we have had [individuals who] will try to do a MoneyPak deposit and then do a withdrawal, basically trying to launder it. Bottom line is that money has to be wagered. It’s not going to be returned to you in another form.”
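A defender-side illustration of the kind of flagging Leslie describes, added here and not taken from Betamerica or from the original article: it scans funding-page events for accounts that validate many distinct voucher codes but never deposit or wager. The event names, tokenized codes and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events, not real data. Event names are hypothetical:
# "voucher_check" = a code was submitted on the funding page,
# "deposit" = that code was actually loaded, "wager" = a bet was placed.
# Tokens stand in for voucher codes so raw codes never reach the log.
SAMPLE_EVENTS = [
    ("acct-1001", "voucher_check", "tok-a1"),
    ("acct-1001", "deposit", "tok-a1"),
    ("acct-1001", "wager", None),
    ("acct-1001", "wager", None),
] + [("acct-2002", "voucher_check", f"tok-b{i}") for i in range(6)] + [
    ("acct-3003", "voucher_check", "tok-c1"),
    ("acct-3003", "voucher_check", "tok-c1"),  # same code retried after a typo
    ("acct-3003", "deposit", "tok-c1"),
]


def summarize(events):
    """Per account: distinct codes checked, distinct codes deposited, wagers."""
    stats = defaultdict(lambda: {"checked": set(), "deposited": set(), "wagers": 0})
    for account, event, token in events:
        entry = stats[account]
        if event == "voucher_check":
            entry["checked"].add(token)
        elif event == "deposit":
            entry["deposited"].add(token)
        elif event == "wager":
            entry["wagers"] += 1
    return stats


def flag_checker_accounts(events, min_checked=5, max_deposit_ratio=0.2):
    """Flag accounts that validate many distinct codes but rarely fund or bet.

    Thresholds are illustrative assumptions, to be tuned on real traffic.
    """
    flagged = {}
    for account, s in summarize(events).items():
        checked = len(s["checked"])
        if checked < min_checked:
            continue  # too few distinct codes to look like bulk checking
        ratio = len(s["deposited"] & s["checked"]) / checked
        if ratio <= max_deposit_ratio and s["wagers"] == 0:
            flagged[account] = {"checked": checked, "deposit_ratio": ratio}
    return flagged


if __name__ == "__main__":
    for account, detail in flag_checker_accounts(SAMPLE_EVENTS).items():
        print(account, detail)
```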

When I first encountered this ransomware cashout service and discovered the connection to Betamerica, I was sure the miscreants were trying to launder money through the betting site. But after my conversation with Leslie, the true scope of this ransomware operation began to come into focus. It appears to involve the cooperation of several sets of actors:


Scheme to cash out $300 MoneyPak vouchers obtained from ransomware victims.

      • The ransomware victims who agree to purchase MoneyPak vouchers to regain control over their PCs.
      • The guys operating the botnets that are pushing ransomware, locking up victim PCs, and extracting MoneyPak voucher codes from victims.
      • The guy(s) running this cashout service.
      • The “cashiers” or “cashers” on the back end who are taking the MoneyPak codes submitted to the cashing service, linking those codes to fraudulently obtained prepaid debit cards, and then withdrawing the funds via ATMs and wiring the proceeds back to the cashing service, minus their commission. The cashing service then credits a percentage of the MoneyPak voucher code values to the ransomware peddler’s account.

How much does the cashout service charge for all this work? More than half of the value of the MoneyPaks, it would seem. When a user logs in to the criminal service, he is greeted with the following message:

A MoneyPak cashout service.


“Dear clients, due to decrease of infection rate on exploits we are forced to lift the price. The price is now 0.6. And also, I explained the rules for returns many times, we return only cheques which return on my side if you cash them out after then we lock the account! There are many clients who don’t return anything, and I will work only with these people now. I warn you.”

In a different portion of the cashout site, there is another ad that offers “huge deposits” of PaySafe cards from Mexico for a quarter of the price of their balances.

“There are huge deposits Paysafecard – Mexico – for 25% of the face value!  Get rid of the stocks!”

Interestingly, this service also employs a free CAPTCHA service from Microsoft, ostensibly to block or to limit the number of successfully checked MoneyPaks that a customer can redeem at any given time. It’s not clear which ransomware scam(s) these MoneyPaks are coming from, but the bulk of the MoneyPak voucher codes submitted to the service indicate that the scammers responsible for collecting the vouchers are extorting their victims for $300.


I can’t be certain how many MoneyPak voucher codes have been cashed using this service, but there appear to have been nearly 24,000 MoneyPak codes checked through it so far. At $300 apiece, that would mean this service has cleared more than $7 million in ransom money from ransomware victims.

To say that international law enforcement bodies are interested in cracking down on ransomware schemes is probably a major understatement. Ransomware scams frequently accuse victims of downloading child porn, and I think it’s worth noting that the drive to incarcerate those responsible for producing and spreading  child porn has a funny way of engendering cooperation between international law enforcement agencies that don’t always work so well together to fight other types of cybercrime. I’d wager that the only way to ratchet up that level of cooperation is to invoke the specter of child  porn and to do so by impersonating nearly every major national law enforcement agency on the planet.

For some perspective on how rampant these ransomware schemes have become, look no further than the FBI’s 2012 Internet Crime Report (PDF), released May 14: According to the FBI, “the most common complaints received in 2012 included FBI impersonation e-mail scams, various intimidation crimes, and scams that used computer ‘scareware’ to extort money from Internet users.”

I’d like to thank Alex Holden, chief information security officer at Hold Security, for his invaluable assistance in researching the workings of this cashout service.
